> On 19.11.2019 at 13:39, Vineet Banga <vineetba...@google.com> wrote:
>
> Let me restate my original question. I agree with the usage of state for CSRF
> protection, but it can also be used to capture the application state (as
> specified in [I-D.bradley-oauth-jwt-encoded-state]). I am asking if there is
> any recommendation between using state for both CSRF and application state
> vs. relying completely on redirect URIs to maintain application state.
>
> As an OAuth provider, I lean towards avoiding a long and dynamic list of
> redirect URIs. But I do understand that using state for both CSRF protection
> and application state adds burden on clients/app developers.
Got you, thanks for the clarification. I would recommend using PKCE for CSRF prevention and state for representing the application state.

best regards,
Torsten.
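The split recommended above, as an added worked example that is not part of the thread and not code from any of the participants: a toy authorization-code client plus an in-process authorization server, where the PKCE code_verifier kept in the user's session is what defeats CSRF (an injected code fails at the token endpoint because it was issued against someone else's code_challenge), and `state` carries only application state (here a `return_to` path). The draft cited in the question encodes state as a JWT; this example instead uses HMAC-protected base64url JSON so it runs with the standard library only, and the client id, session layout and AS behaviour are all assumptions for illustration.

```python
"""Constructed example: PKCE for CSRF protection, `state` for application state.
The authorization server and HTTP redirects are simulated in-process."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- Client side --------------------------------------------------------
CLIENT_ID = "client-a"                  # assumed client id
STATE_KEY = secrets.token_bytes(32)     # client-held key protecting `state` integrity


def encode_state(app_state: dict) -> str:
    """Pack application state into `state`. The HMAC tag lets the client reject a
    tampered return_to; it is NOT what stops CSRF (PKCE does that). Assumption:
    the referenced draft uses a JWT; plain HMAC-over-JSON is used here instead."""
    payload = b64url(json.dumps(app_state, separators=(",", ":")).encode())
    tag = b64url(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def decode_state(state: str) -> dict:
    payload, tag = state.split(".", 1)
    expected = b64url(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state integrity check failed")
    return json.loads(b64url_decode(payload))


def start_authorization(session: dict, app_state: dict) -> dict:
    """Build the authorization request. The code_verifier stays in the user's
    session; only its S256 challenge is sent to the AS."""
    verifier = b64url(secrets.token_bytes(32))
    session["code_verifier"] = verifier
    return {"response_type": "code", "client_id": CLIENT_ID,
            "code_challenge": s256(verifier), "code_challenge_method": "S256",
            "state": encode_state(app_state)}


def handle_callback(session: dict, params: dict, authz_server) -> dict:
    """Redeem the returned code with the verifier from *this* session. A code an
    attacker obtained for their own account was bound to their challenge, so the
    AS rejects it here no matter what `state` says."""
    verifier = session.pop("code_verifier", None)
    if verifier is None:
        raise ValueError("no pending authorization in this session")
    token = authz_server.token(params["code"], verifier, CLIENT_ID)
    return {"access_token": token, "app_state": decode_state(params["state"])}


# ---- Minimal authorization server (assumed behaviour) --------------------
class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # code -> (client_id, code_challenge)

    def authorize(self, req: dict) -> dict:
        """User consents; AS binds the code to the challenge and echoes state."""
        if req.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: S256 PKCE required")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (req["client_id"], req["code_challenge"])
        return {"code": code, "state": req["state"]}

    def token(self, code: str, code_verifier: str, client_id: str) -> str:
        entry = self._codes.pop(code, None)   # single use
        if entry is None:
            raise ValueError("invalid_grant: unknown or reused code")
        bound_client, challenge = entry
        if bound_client != client_id or not hmac.compare_digest(s256(code_verifier), challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return "at-" + b64url(secrets.token_bytes(8))


def legitimate_flow() -> dict:
    authz = AuthorizationServer()
    session = {}
    callback = authz.authorize(start_authorization(session, {"return_to": "/settings"}))
    return handle_callback(session, callback, authz)


def csrf_attempt() -> str:
    """Attacker gets a code for their own account and drives the victim's browser
    to the client's callback with it. Returns the AS error text, or 'accepted'."""
    authz = AuthorizationServer()
    attacker, victim = {}, {}
    attacker_callback = authz.authorize(start_authorization(attacker, {"return_to": "/"}))
    start_authorization(victim, {"return_to": "/settings"})   # victim has a flow pending
    try:
        handle_callback(victim, attacker_callback, authz)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(legitimate_flow()["app_state"])   # {'return_to': '/settings'}
    print(csrf_attempt())                   # invalid_grant: PKCE verification failed
```

The point of the split is visible in `handle_callback`: the client never needs a per-request nonce inside `state`, because the session-bound `code_verifier` already ties the callback to the browser that started the flow. That also means a client which keeps no session between the authorization request and the callback (so the verifier cannot be looked up) has no CSRF protection from PKCE alone.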
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth